
Please note that you don't have to send deauth packets. Your attacker can get all the IVs s/he needs by just passively (not sending anything) sniffing your wireless traffic. Cracking is done offline anyway, so there's no way to detect this type of attack.

Even MAC address filtering won't help you: just as it's easy to sniff the wireless traffic, you'll also see the 'allowed' MAC addresses (those are the ones that are actually communicating).

Passively sniff the WiFi traffic, crack the key, change the MAC to one allowed and enter the network. No way to detect it, unless it happens at 'odd' times (non-office hours).

What I wanted to know was, say an attacker captures 100000 IVs from one Access point, 100000 from another, etc., would they add up to enough to get my WEP key? Or would the fact that they came from different access points mean that the attacker could only use 100000?

AFAIK you cannot 'add up' the IVs. But it's pretty easy to get 1000000+ IVs on even a moderately used WiFi network. So I haven't looked at it in more detail.

Oliver's Law:
Experience is something you don't get until just after you need it.

If you insist on using WEP, at least try to use the 104-bit version rather than the 40-bit one. It will depend on whether your hardware supports it, but most cards/APs nowadays are able to use the more secure 104-bit version.

The fool doth think he is wise, but the wise man knows himself to be a fool - Good Ole Bill Shakespeare

Originally posted here by dmorgan:
If you insist on using WEP, at least try to use the 104-bit version rather than the 40-bit one. It will depend on whether your hardware supports it, but most cards/APs nowadays are able to use the more secure 104-bit version.

One thing to keep in mind: the 104-bit version does take 1 million or more IV frame packets to break the key. Depending on how close they can get to one of your APs, this can be done in under an hour. Most people would not go through this trouble unless they are after something on the other side of the network, in which case WPA2 is your only real option.
I do understand you'll be monitoring for injection, but it will appear as traffic coming from one of your own stations should someone start injecting packets.

edit: Oh yeah, and while aircrack can only crack one SSID at a time, airodump can capture anything in the 802 spectrum as well as only a specific channel or even just from a specific MAC address of an AP. Which makes it easy to see which AP has activity and catch that packet needed for injection.
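The two weak detection signals mentioned in this thread (activity at non-office hours, and injected or spoofed traffic appearing to come from one of your own stations) can be checked against AP association logs. This is an added example, not code from any poster; the log format, the office hours and the sample events are constructed, and flagging a MAC that associates to a second AP while still associated elsewhere is my generalisation of the "your own station" point, not something the thread spells out.

```python
"""Scan constructed AP association logs for two signals the thread mentions:
off-hours activity, and an 'allowed' MAC that shows up on a second AP while
it is still associated to the first (one symptom of a cloned station)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <assoc|disassoc> <client MAC> <AP>"
SAMPLE_LOG = """\
2024-05-03T09:02:11 assoc 00:11:22:33:44:55 ap-floor1
2024-05-03T09:05:40 assoc 00:11:22:33:44:66 ap-floor1
2024-05-03T12:30:00 assoc 00:11:22:33:44:55 ap-floor2
2024-05-03T17:45:09 disassoc 00:11:22:33:44:55 ap-floor1
2024-05-03T17:46:00 disassoc 00:11:22:33:44:55 ap-floor2
2024-05-03T23:12:30 assoc 00:11:22:33:44:66 ap-floor1
"""

OFFICE_HOURS = range(8, 19)  # assumed 08:00-18:59; tune for your site


def parse(log):
    """Yield (timestamp, event, mac, ap) tuples from the log text."""
    for line in log.splitlines():
        ts, event, mac, ap = line.split()
        yield datetime.fromisoformat(ts), event, mac.lower(), ap


def find_alerts(log, office_hours=OFFICE_HOURS):
    """Return (timestamp, kind, mac, ap) alerts in log order."""
    active = defaultdict(set)  # client MAC -> APs it is currently associated to
    alerts = []
    for ts, event, mac, ap in parse(log):
        if event == "assoc":
            if ts.hour not in office_hours:
                alerts.append((ts.isoformat(), "off-hours", mac, ap))
            # Same MAC still associated to a *different* AP: either roaming
            # or a second station using an allowed address.
            if active[mac] - {ap}:
                alerts.append((ts.isoformat(), "duplicate-mac", mac, ap))
            active[mac].add(ap)
        elif event == "disassoc":
            active[mac].discard(ap)
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```

Legitimate roaming between APs also produces the duplicate-mac alert, so treat it as a lead to correlate with the off-hours signal and with what the AP logs show for the original station, not as proof on its own.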

I don't think there's a way that an attacker could easily know that the several APs have the same WEP key, so they'd need to crack them separately.

If they did magically know that they had the same WEP key, yes it would make it easier as they could combine the IVs. However aircrack probably won't normally do this (combine IVs from different BSSIDs), so I imagine they'd need to knock up their own software to do it.

I don't believe it would take too much to write a script that did a search and replace on the MAC addresses in a capture file. But without the knowledge that all the keys are the same I don't see why anyone would at all.